Privacy Policy
Last updated: 6 July 2026
We collect the minimum data needed to deliver the EU AI Act Compliance Sprint service. We do not sell, rent, or share your data with third parties for their own purposes. This policy explains what we collect, why, where it lives, and how to exercise your rights under the GDPR.
1. Data we collect
- Account email — used to send sign-in magic links and any agreed engagement correspondence.
- Self-assessment answers — used to generate your Article 50 scope verdict. Stored on a server-side SQLite database.
- Disclosure intake form data — used to draft your Article 50 disclosure package. Stored on the same server.
- Stripe payment metadata — transaction id, amount, billing address, VAT ID, and card last-4. Card numbers never touch our server.
2. What we don’t collect
No tracking pixels, no third-party analytics, no advertising cookies, no fingerprinting. The site uses Cloudflare for edge security only; Cloudflare logs are governed by their own privacy notice.
3. Data processors
We use the following third-party processors to deliver the service:
- Stripe (Payments Europe Ltd., IE) — payment processing. Stripe acts as our data processor for transaction data.
- Cloudflare (Cloudflare Ireland Ltd.) — edge security, content delivery. Acts as data processor for HTTP request metadata.
- Google Workspace (Google Ireland Ltd.) — business email ([email protected]). Acts as data processor for correspondence.
- GitHub (GitHub B.V., NL) — workspace and source-code hosting. Acts as data processor for repository data; sensitive prospect material is not committed.
4. International transfers
Some of our processors (Stripe, Cloudflare, Google, GitHub) transfer data outside the EEA under Standard Contractual Clauses or equivalent adequacy decisions. We do not transfer your data to any third country without a valid GDPR transfer mechanism.
5. Where it lives
In production, data is stored in EU regions (SQLite-compatible provider such as Turso / Neon, Stripe EU region). In development the SQLite file lives on the local filesystem.
6. Retention
- Operational data (engagement records, signed deliverables, audit logs): 7 years, aligned with AI Act Article 12 lifetime-traceability expectations.
- Magic-link sign-in logs: 30 days.
- Stripe transaction records: per Stripe’s retention policy (typically 7 years for tax/AML purposes).
7. Your rights
Under the GDPR you have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data, and to lodge a complaint with a supervisory authority. To exercise any of these rights, email [email protected].
The Irish supervisory authority for data protection is the Data Protection Commission (DPC), 21 Fitzwilliam Square South, Dublin 2, D02 RD28.
8. Security
We use TLS everywhere, store secrets in a gitignored vault (not in source code), restrict access to production systems on a need-to-know basis, and rotate credentials periodically. Despite our efforts, no system is perfectly secure; if you believe your data has been compromised, please email [email protected] immediately.
9. Changes to this policy
We may update this policy from time to time. Material changes will be announced on concura.io with at least 14 days’ notice. The “Last updated” date at the top of this page reflects the current version.
10. Contact
Questions about privacy? [email protected].
Working draft, not individually reviewed by counsel. Patrick to obtain counsel review before treating as binding in any specific dispute (€200–400 budgeted).
